Why Block by IP address?

South Korea has an advanced Internet infrastructure. Yet when implementing Internet filtering South Korean ISP’s have chosen to block by IP address. As a result, while trying to block 31 web sites they have actually blocked 3,167 unrelated domain names hosted on the same servers as the sites they intended to block. We’ve seen this type of over blocking in India, and previously, when filtering first started in Iran. Even China, with an advanced filtering system, still blocks by IP address (along with other mechanisms such as key words in URL paths). Also, when Pennsylvania state law required some of the world’s top ISP’s such as AOL, Verizon and Worldcom to filter they also implemented this exact form of filtering. The filtering in Pennsylvania had these exact unintended consequences (blocking content that was never intended to be blocked) which ended up being the main reason that legal action was able to reverse the law in that case. So why do countries continue to block by IP address?

The ruling in the Pennsylvania case explains three techniques that ISP’s can use to implement Internet filtering:

To perform DNS filtering, an ISP makes entries in the DNS servers under its control that prevent requests to those servers for a specific web site’s fully qualified domain name (found in the requested site’s URL) from resolving to the web site’s correct IP address.

To implement IP filtering, an ISP first determines the IP address to which a specific URL resolves. It then makes entries in routing equipment that it controls that will stop all outgoing requests for the specific IP address.

URL filtering involves the placement of an additional device, or in some cases the reconfiguration of an existing “router” or other device, in the ISP’s network to (a) reassemble the packets for Internet traffic flowing through its network, (b) read each http web request, and (c) if the requested URL in the web request matches one of the URLs specified in a blocking order, discard or otherwise block the http request.

DNS filtering is not a preferred choice for most ISP’s. Not only is it easy to circumvent (by accessing an IP address for instance, or using a different DNS server) it is not something that network administrators normally do. (It also over blocks because all sub-domains will also be blocked if a domain name is blocked.)

When AOL implemented filtering (on its entire network) to comply with Pennsylvania state law, they did not implement DNS filtering because they “would have been required to make entries manually in all of its 100 DNS servers to implement a DNS block.” Worldcom was also unable to implement DNS filtering.

None of the ISP’s affected by the Pennsylvania state law implemented URL filtering. Even AOL, which already had “parental control” filtering available for some of its customers – which is capable of filtering by URL – was unable to expand that service to cover its entire network.

AOL engineer Patterson explained that to undertake URL filtering for all AOL members would require expenditures for development, installation, new hardware and software, management costs, performance assessments, customer support, and further reengineering of the network. It would take years to implement and be “extraordinarily expensive.”

Most ISP’s do not have the capacity to filter by URL and the ones that do would need to purchase a significant amount of equipment to implement URL filtering without a significant drop in performance. For example, “[i]t would cost Verizon ‘well into seven figures’ to implement URL filtering across its entire network.”

Blocking by IP is effective (the target site is effectively blocked) and no new equipment needs to be purchased. It can be implemented in an instant as all the required technology and expertise is readily available. Many ISP’s already block IP addresses to combat spam and viruses. Large networks, such as Worldcom, already have the capacity in place to automatically update thousands of routers to block IP addresses.

Countries new to filtering will generally start by blocking by IP before moving on to more expensive filtering solutions. ISP’s must often respond quickly and effectively to blocking orders from the government or national security/intelligence services. So they block what was requested in the cheapest way using technology already integrated into their normal network environment. They most likely do not consider over blocking due to virtual hosting, or consider it acceptable collateral damage.

This is now happening in Canada as well. The largest Internet Service Provider Bell Sympatico has been blocking server IP addresses that contain multiple domains/websites. They have even blocked servers at reputable locations like Yahoo Web Hosting.

It’s like banning everyone wearing a red shirt from entering your store because someone who robbed you was wearing a red shirt.